Reading: Exploding The Phone: The Untold Story of the Teenagers and Outlaws who Hacked Ma Bell

Written by Phil Lapsley with a foreword by Steve Wozniak. It’s a fascinating trip through the days of yore, and it triggers memories I have of the time.

It’s the story of how a bunch of people, accidentally or intentionally, discovered one of the bigger security flaws in Ma Bell’s network at the time.

When engineers in the 1930s and 1940s were putting the long distance network together so it could be dialed by customers, a choice was made to use audible signalling and to keep that signalling in-band. In other words, the control tones travelled over the same path as the voice portion of the call, so a switch had no way to tell a tone the network put on the line from one a subscriber put there. And Ma Bell published quite a bit: she told everyone what the frequency pairs were.

I can recall too that back in the early 1980s a friend of mine had an Apple II with a Novation CAT modem in it. The CAT was fully capable of generating ALL the tones used by Ma Bell. I spent many an hour on the 2111 conference with my friend. It was pretty interesting. I even got a demonstration of tandem stacking too. That was funny. It was all possible because of two factors: East Greenwich, RI was still on older electromechanical switching systems, and RI wasn’t a big target. So yes, a fair amount of Blue Boxing was done.

Of course Ma Bell took a heavy hand in all this, to the point of actually violating a few laws itself trying to get a handle on the problem of fraud in the system. It ultimately culminated in a completely separate network being built to handle all the call supervision and signalling: common channel signalling, first CCIS (based on Signalling System 6) and then SS7. (Signalling System 5, for what it’s worth, was itself an in-band system, which is why it could be Blue Boxed too.) Moving the signalling off the voice path is what eliminated the Blue Box capabilities. But you have to remember it took Ma Bell and her Children until the early 1990s to get all of the network onto what was then SS7, so you could still Blue Box from certain locations.

I should explain the Blue Box. In essence, Ma Bell used a 2600 Hz tone on an idle trunk for supervision, and combinations of frequency pairs (multi-frequency, or MF, signalling) to move calls around on the network. Put 2600 Hz down a trunk you were already connected to and the far-end switch believed the trunk had gone idle; it would then accept a fresh MF routing sequence from whoever sent it. The Blue Box was a portable device that could create those tones.
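To make the in-band problem concrete, here is a small audio model of Bell System MF signalling. This is an added example, not code from the original post or from Lapsley’s book. The MF frequency pairs and the 2600 Hz supervision tone are the published Bell values; the sample rate, tone durations, amplitude and detection threshold are assumptions chosen so that every 20 ms analysis frame lands exactly on a DFT bin. The thing to notice is that the receiver side sees nothing but samples on the voice path, so a routing sequence from a subscriber’s box decodes exactly like one from the network.

```python
"""Added example: Bell System in-band (MF) signalling modelled in audio.
Frequencies are the published Bell MF/R1 values; sample rate, durations,
amplitude and threshold are assumptions for this demo."""
import math

SAMPLE_RATE = 8000          # samples per second (assumed; telephone-band rate)
AMPLITUDE = 0.4             # per-tone amplitude (assumed)
FRAME = 160                 # 20 ms frame: every tone below is a whole DFT bin
SUPERVISION_HZ = 2600       # trunk idle / supervision tone

# Published Bell MF (R1) signalling: symbol -> (low, high) frequency pair in Hz.
MF_PAIRS = {
    "1": (700, 900),   "2": (700, 1100),  "3": (900, 1100),
    "4": (700, 1300),  "5": (900, 1300),  "6": (1100, 1300),
    "7": (700, 1500),  "8": (900, 1500),  "9": (1100, 1500),
    "0": (1300, 1500), "KP": (1100, 1700), "ST": (1500, 1700),
}
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
PAIR_TO_SYMBOL = {pair: sym for sym, pair in MF_PAIRS.items()}


def tone(freqs, ms):
    """Sum of sines at `freqs`, `ms` milliseconds long, as a list of floats."""
    n = SAMPLE_RATE * ms // 1000
    return [AMPLITUDE * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def silence(ms):
    return [0.0] * (SAMPLE_RATE * ms // 1000)


def mf_encode(symbols, on_ms=60, off_ms=40):
    """Audio for a sequence of MF symbols, e.g. ["KP", "1", "0", "ST"]."""
    out = []
    for sym in symbols:
        out += tone(MF_PAIRS[sym], on_ms) + silence(off_ms)
    return out


def seize_and_dial(digits):
    """What a blue box (or the network itself) puts on a trunk: a 2600 Hz burst
    so the far end thinks the trunk went idle, then KP, the digits, ST."""
    return tone([SUPERVISION_HZ], 60) + silence(40) + mf_encode(["KP", *digits, "ST"])


def goertzel_power(frame, freq):
    """Squared DFT magnitude of `frame` at `freq`, via the Goertzel recurrence."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_frame(frame):
    """Symbol heard in one frame: "SUP" for 2600 Hz, an MF symbol, or None."""
    # An on-bin sine of amplitude A gives power (A*N/2)^2; accept a quarter of that.
    threshold = (AMPLITUDE * len(frame) / 2) ** 2 / 4
    if goertzel_power(frame, SUPERVISION_HZ) > threshold:
        return "SUP"
    hot = tuple(f for f in MF_FREQS if goertzel_power(frame, f) > threshold)
    return PAIR_TO_SYMBOL.get(hot)      # exactly two hot tones, or nothing


def mf_decode(samples):
    """Walk the audio frame by frame; collapse a run of one symbol into one event."""
    symbols, last = [], None
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        sym = detect_frame(samples[i:i + FRAME])
        if sym is not None and sym != last:
            symbols.append(sym)
        last = sym
    return symbols


def route_request(samples):
    """The trunk receiver's view: after supervision, the digits between KP and ST.
    Nothing in the audio says who generated it."""
    seen = mf_decode(samples)
    try:
        kp = seen.index("KP", seen.index("SUP") + 1)
        st = seen.index("ST", kp + 1)
    except ValueError:
        return None
    return "".join(seen[kp + 1:st])


if __name__ == "__main__":
    audio = seize_and_dial("1234")          # constructed input, 0.7 s of audio
    print(mf_decode(audio))                 # ['SUP', 'KP', '1', '2', '3', '4', 'ST']
    print(route_request(audio))             # 1234
```

The decoder deliberately has no notion of which end of the trunk the samples came from, because a real MF receiver didn’t either; that is the whole design flaw, and it is why the eventual fix was to move supervision and routing onto a separate signalling network rather than to filter the audio.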

My trip through phone systems started with a descendant of the Southern Pacific Railroad, which we know today as Sprint. Back then you dialed a local access number, keyed in a six-digit code and then the ten-digit phone number you wanted to call. I had gotten a list of about 10 or so of these codes and I spotted something: they fit a pattern.

At the time I had my DC-II modem on my machine; it had the capability of sending DTMF as well as being able to tell when dial tone was present. So I wrote an algorithm with the pattern I’d seen in mind. I let it run for a couple of days. What I had at the end were 500 codes. Let’s just say my friends and I weren’t paying for long distance calls.

It lay fallow for almost twenty years, but then I found myself in a position of needing to understand toll fraud on PBXs, which was pretty hefty. So I helped out in a few offices that I worked in to secure the AT&T-built PBXs. I read all about those and the switches within the Bell System too, so I know a thing or two about their capabilities. One tour of a then New England Telephone #5 ESS was enlightening. This was right around the late 1980s and the time of law enforcement wanting access on the switches to perform investigations; I believe it was called CALEA. I found out on that tour that not only did the cops have access, the switch guys had access too. They could listen in to any call in the digital voice stream. Interesting.

Then of course I was the beneficiary of the daughter of all fuck ups with the then Nynex. I had moved from North Providence and the 401-725 exchange and was coming back to Providence. So I called Nynex and requested the move in service. The installer came out, put in the jack and that was that. But month after month for nearly two years I got no bill. I had occasionally called Nynex at the time, but the customer service reps would say they had no record of the phone number. Interesting.

In the last six or so months I called Nynex almost daily to convince them I was calling from that line. I called repair to verify the line. Yup, it’s connected. But billing had no idea. Finally I got a CSR with more than two brain cells and we puzzled it out. Apparently the work order had gone in, but it was never returned to billing. So I paid $140 at the time and then started receiving a monthly bill.

But the more interesting part: this was at the point in time where you could choose your long distance carrier. I went with the default, AT&T, since I rarely made long distance calls. But I did make them on occasion and they were never billed. The Nynex CSR had no visibility into the long distance side.

I found out from a friend in New Jersey what had happened. He called me and said he got a call from the VA asking who was calling him from the VA. I understood what happened; my number ended in 0716, the local VA hospital was on the same exchange in the 70xx group, and they had transposed digits to 7016. The VA was paying for my long distance. Sloppy screw-up on Nynex’s part, I suppose.